[Oisf-users] Only one alert where multiple rules should hit
Duane Howard
duane.security at gmail.com
Mon Nov 17 23:39:42 UTC 2014
After poking around more, I'm actually convinced that this is not 'one
alert when multiple should hit' and more like, 'duplicate alerts for some
reason I don't understand'.
For example, in a pcap that *should* generate 6 alerts each for ET
sid:2014636 and my custom signature sid:6000300 I end up with 6 for my
custom signature, and 12 for the ET one. I see this in reverse in some
other situations (custom one generates twice as many as the ET one, or
similar).
I can provide a pcap and discuss in more detail off list if required.
Here's some output from fast.log; I've highlighted two examples of the
sessions that are triggering twice, but it applies to all of
them:
11/14/2014-19:16:32.504795 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.146.177:28902 -> 222.173.114.183:8000
11/14/2014-19:16:32.505110 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.64.119:57347 -> 222.173.153.246:8000
11/14/2014-19:16:32.504636 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.26.130.134:12970 -> 222.173.21.225:8000
11/14/2014-19:16:32.504951 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.29.155.57:20046 -> 222.173.107.190:8000
11/14/2014-19:16:32.504473 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.31.5.222:62805 -> 222.173.45.128:8000
11/14/2014-19:16:32.505268 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.27.217.69:12308 -> 222.173.182.193:8000
11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.26.130.134:12970 -> 222.173.21.225:8000
11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.26.130.134:12970 -> 222.173.21.225:8000
11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.64.119:57347 -> 222.173.153.246:8000
11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.64.119:57347 -> 222.173.153.246:8000
11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.29.155.57:20046 -> 222.173.107.190:8000
11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.29.155.57:20046 -> 222.173.107.190:8000
11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.31.5.222:62805 -> 222.173.45.128:8000
11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.31.5.222:62805 -> 222.173.45.128:8000
11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.146.177:28902 -> 222.173.114.183:8000
11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.18.146.177:28902 -> 222.173.114.183:8000
11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.27.217.69:12308 -> 222.173.182.193:8000
11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] [Classification: A Network Trojan was Detected] [Priority: 1] {TCP} 172.27.217.69:12308 -> 222.173.182.193:8000
./d
On Mon, Nov 17, 2014 at 3:09 PM, Victor Julien <lists at inliniac.net> wrote:
> On 11/17/2014 08:26 PM, Duane Howard wrote:
> > I have a pcap from a sample that I have a few similar rules for, they
> > effectively look for the same content, in slightly different ways (one
> > internal, one from VRT). When I run Snort over the pcap this particular
> > session, I get an alert for each signature in question. When using
> > Suricata I only get an alert from one of these rules. Does Suricata bail
> > on rule comparisons after a single alert occurs?
>
> No. There must be another reason the other rules don't match. What
> happens if you run the rules individually?
>
> The only thing that could cause us to stop inspecting rules prematurely
> is when a 'pass' rule matches.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
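The quickest way to confirm what the fast.log excerpt above shows (one sid firing twice on the same flow while the other fires once) is to count alerts per signature and per flow rather than eyeballing the log. The script below is an added example, not code from the thread or from the Suricata project: it parses single-line fast.log records in the format shown in the post, and its sample records are constructed from two of the flows in the post's output (real fast.log records are one line each; the post's output is wrapped by the mail client).

```python
"""Count fast.log alerts per signature and per flow to spot duplicates.

Added example (not from the original thread). Reports, for every sid, how
many times it fired on each flow, so "12 alerts where 6 flows exist" shows
up as six flows with a count of 2 instead of a bare total.
"""
import re
from collections import Counter, defaultdict

# One fast.log record per line: timestamp, [**], [gid:sid:rev], msg, [**],
# optional [Classification: ...], [Priority: N], {PROTO}, src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$"
)


def parse_fast_log_line(line):
    """Return the record's fields as a dict, or None if the line does not parse."""
    m = FAST_LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def flow_key(rec):
    """Directional 5-tuple; fast.log only shows the direction that alerted."""
    return (rec["proto"], rec["src"], rec["sport"], rec["dst"], rec["dport"])


def count_alerts_per_flow(lines):
    """Map sid -> Counter(flow_key -> number of alerts for that sid on that flow)."""
    per_sid = defaultdict(Counter)
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec is None:  # skip wrapped continuation lines and anything malformed
            continue
        per_sid[rec["sid"]][flow_key(rec)] += 1
    return per_sid


def sid_totals(lines):
    """Map sid -> total alert count, the number the post compares (6 vs 12)."""
    return {sid: sum(flows.values()) for sid, flows in count_alerts_per_flow(lines).items()}


def find_duplicate_flows(lines):
    """Map sid -> sorted list of (flow, count) for flows where that sid fired more than once."""
    dups = {}
    for sid, flows in count_alerts_per_flow(lines).items():
        repeated = sorted((flow, n) for flow, n in flows.items() if n > 1)
        if repeated:
            dups[sid] = repeated
    return dups


# Constructed sample: three records for the ET sid and two for the custom sid
# on two flows taken from the post's output; one flow alerts twice on the ET
# sid only, which is the pattern the post describes.
SAMPLE_LINES = [
    "11/14/2014-19:16:32.504636 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} "
    "172.26.130.134:12970 -> 222.173.21.225:8000",
    "11/14/2014-19:16:32.505110 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} "
    "172.18.64.119:57347 -> 222.173.153.246:8000",
    "11/14/2014-19:16:32.505619 [**] [1:2014636:3] ET TROJAN Backdoor.Win32/Poison.BI [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} "
    "172.26.130.134:12970 -> 222.173.21.225:8000",
    "11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} "
    "172.26.130.134:12970 -> 222.173.21.225:8000",
    "11/14/2014-19:16:32.505619 [**] [1:6000300:1] MY OTHER RULE NAME [**] "
    "[Classification: A Network Trojan was Detected] [Priority: 1] {TCP} "
    "172.18.64.119:57347 -> 222.173.153.246:8000",
]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # usage: python fastlog_dups.py /var/log/suricata/fast.log
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LINES
    for sid, total in sorted(sid_totals(lines).items()):
        print(f"sid {sid}: {total} alerts")
    for sid, repeated in sorted(find_duplicate_flows(lines).items()):
        for flow, n in repeated:
            print(f"sid {sid} fired {n}x on {flow[1]}:{flow[2]} -> {flow[3]}:{flow[4]} ({flow[0]})")
```

Running it against the pcap's real fast.log separates the two explanations in the thread: if one sid shows every flow with a count of 2 and the other a count of 1, the rule set is producing duplicate alerts per flow (for instance the same content matched in more than one inspection buffer, or a rule that fires on both a packet and the reassembled stream), whereas a flow that is entirely missing for one sid points at that rule simply not matching, which is what running the rules individually would show.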